


Germany: Data Protection Officers must not have a conflict of interest


published on 26 September 2022 | reading time approx. 4 minutes


Failure to appoint a data protection officer free from conflicts of interest: a German supervisory authority imposes a fine of more than EUR 500,000 – and informs about it only quietly.

The GDPR requires the appointment of data protection officers (DPO) if core activities of controllers or processors might lead to relevant risks for individuals when processing personal data. 

In addition, companies in Germany must already appoint a DPO if they employ at least 20 persons for the automated processing of personal data.

According to Art. 38 para 6 GDPR, the controller or processor shall ensure that any further tasks and duties of the appointed DPO do not result in a conflict of interests. 

This usually precludes persons who, in addition to their role as DPO, are responsible for the processing of personal data, such as the head of IT, HR or Marketing in the same organization, since they would be unable to independently monitor the organization's data protection compliance in their other field of duty.

In Germany, the supervisory authority of Berlin recently reported a case in which it fined a company EUR 525,000 for ignoring these requirements when appointing a DPO (see press release 20.9.2022): The DPO of the company was also the managing director of two service companies that processed personal data on behalf of the very company for which he worked as a DPO. These service companies provided customer service and executed orders. The DPO thus had to monitor compliance with data protection law by the service companies operating within the scope of commissioned processing, which he himself managed as managing director. All companies are part of an e-commerce group of companies.

As early as 2021, the supervisory authority issued a warning to the company upon identifying the DPO's conflict of interest. Since a company inspection by the supervisory authority in 2022 showed that the violation continued despite the warning, the authority imposed the fine, which is not yet legally binding.

For the rather high amount of the fine, the authority considered:
  • the e-commerce group's sales in the triple-digit millions;
  • the important role of the data protection officer;
  • the intentional continued appointment of the DPO despite the previous warning.

In favor of the company, reducing the amount, the supervisory authority considered the extensive cooperation and the remediation of the violation during the fine proceedings.

The case shows, in addition to the requirement to appoint DPOs without a conflict of interest, that previous warnings of the supervisory authority should be considered carefully and remedied as soon as possible.

In addition, the mainly anonymized press release might refer to another German court order whose reasoning was published in summer 2022 (LG Hamburg, court order 28.10.2021, file reference 625 Qs 21/21 OWi): In 2020, the supervisory authority of Hamburg publicly informed about a fine of ca. 35 million EUR against the German H&M subsidiary due to illegal monitoring of employees. Later on, several companies and individuals requested a copy of the fine notice, allegedly to understand the supervisory authority's concept of fine calculation.

The regional court of Hamburg found the issuance of the (redacted) fine notice to certain individuals and companies by the supervisory authority to be unlawful. The court especially stated that – contrary to judgements following public court proceedings – fine proceedings are regularly not public. 

If the addressee of a penalty notice decides to allow the penalty notice to become final without a public court session, the addressee need not generally expect that information from the proceedings (including the name of the party) will be disclosed by the supervisory authority to uninvolved third parties or the public. Neither the GDPR nor the German privacy act would provide an explicit basis for the publication of penalty decisions, not even redacted ones.

This might in the future lead to rather anonymized public information by German supervisory authorities when exercising their powers under Art. 58 GDPR against controllers and processors.


contact


Alexander Von Chrzanowski

Rechtsanwalt

Associate Partner

+49 3641 4035 30
